SQL Injection Playground
Learn how SQL injection attacks work and how to prevent them
SQL Query Builder
Query Protection
Toggle between safe parameterized queries and unsafe string concatenation
Username Input
Using parameterized queries (safe)
Common SQL Injection Attacks
Try these common SQL injection payloads to see how they work:
Normal Input
testuser
A legitimate username input
Basic Comment Injection
admin' --
Comments out the rest of the query
Authentication Bypass
' OR '1'='1
Makes the WHERE clause always true
UNION Attack
' UNION SELECT * FROM passwords --
Attempts to read from other tables
Destructive Attack
'; DROP TABLE users; --
Tries to delete database tables
Data Extraction
' OR 1=1 UNION SELECT username, password FROM users --
Combines results from multiple tables
Understanding SQL Injection
How It Works
SQL injection occurs when user input is concatenated directly into the text of a SQL statement, so that characters in the input (quotes, comment markers, semicolons) are interpreted as part of the query's structure instead of as data. Attackers can manipulate the query structure to:
- Bypass authentication
- Extract sensitive data
- Modify or delete data
- Execute administrative operations
Prevention Methods
- Use Parameterized Queries: Also known as prepared statements, these keep the SQL text fixed and send the values separately, so input can never change the structure of the query
- Input Validation: Validate all user inputs against an allowlist of expected formats (length, character set) and reject anything else
- Least Privilege: Database users should have only the permissions the application needs, so that a successful injection cannot read or drop tables it should never touch
- Escape Special Characters: Only as a last resort when parameterized queries aren't available; escaping rules differ between database dialects, so use the driver's own escaping function rather than a hand-written one
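The following JavaScript is an added example, not the playground's own code: it builds the username lookup the three ways discussed above (string concatenation, escaping, parameter binding), runs the payloads from the list above through each, and checks the input against an allowlist. A small scanner written for this illustration (not a real SQL parser, and not a library function) reports whether the input escaped its string literal, added statements, or truncated the query with a comment. No database is contacted; the function names and the username regex are choices made for this example.

```javascript
// Added example (not the playground's code): the same lookup built three
// ways, exercised with the payloads listed on the page. scanSql is a toy
// scanner written for this illustration, not a SQL parser.

// Payloads copied from the page, starting with a legitimate username.
const PAYLOADS = [
  'testuser',
  "admin' --",
  "' OR '1'='1",
  "' UNION SELECT * FROM passwords --",
  "'; DROP TABLE users; --",
  "' OR 1=1 UNION SELECT username, password FROM users --",
];

// 1. Unsafe: the input is spliced into the SQL text.
function buildUnsafeQuery(username) {
  return `SELECT * FROM users WHERE username = '${username}'`;
}

// 2. Escaping fallback (standard SQL writes a quote inside a literal as '').
//    Dialect-specific: MySQL, for example, also treats backslash specially.
function escapeLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}
function buildEscapedQuery(username) {
  return `SELECT * FROM users WHERE username = ${escapeLiteral(username)}`;
}

// 3. Parameterized: the SQL text is fixed; the value travels separately.
function buildSafeQuery(username) {
  return { sql: 'SELECT * FROM users WHERE username = ?', params: [username] };
}

// Input validation (allowlist chosen for this example): letters, digits, _ . -
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
function isValidUsername(username) {
  return USERNAME_RE.test(username);
}

// Toy scanner: collects single-quoted literals, counts ';' outside literals,
// and stops at a '--' line comment (everything after it is ignored by the DB).
function scanSql(sql) {
  const literals = [];
  let semicolons = 0;
  let hasComment = false;
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "'") {
      let value = '';
      i += 1;
      while (i < sql.length) {
        if (sql[i] === "'") {
          if (sql[i + 1] === "'") { value += "'"; i += 2; continue; } // escaped quote
          break; // closing quote
        }
        value += sql[i];
        i += 1;
      }
      i += 1; // step past the closing quote (or past the end if unterminated)
      literals.push(value);
    } else if (ch === '-' && sql[i + 1] === '-') {
      hasComment = true;
      break;
    } else {
      if (ch === ';') semicolons += 1;
      i += 1;
    }
  }
  return { literals, semicolons, hasComment };
}

// Did the input stay inside its literal when concatenated?
function assessUnsafe(username) {
  const report = scanSql(buildUnsafeQuery(username));
  return {
    brokeOut: report.literals[0] !== username, // first literal should equal the input
    extraStatements: report.semicolons,        // ';' outside any literal
    truncatedByComment: report.hasComment,
  };
}

for (const p of PAYLOADS) {
  const a = assessUnsafe(p);
  console.log(JSON.stringify(p).padEnd(62), 'valid:', isValidUsername(p),
    'brokeOut:', a.brokeOut, 'extraStatements:', a.extraStatements,
    'comment:', a.truncatedByComment, '| parameterized sql:', buildSafeQuery(p).sql);
}
```

Running it shows that only `testuser` stays inside its literal under concatenation, that every payload is passed through untouched as a parameter while the SQL text never changes, and that correct escaping also keeps each payload inside the literal. The scanner ignores backslash escapes, `/* */` and `#` comments, and every other dialect feature, which is exactly why hand-written escaping is fragile and parameter binding is the preferred defence.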
Safe Code Example
// Safe: Using parameterized query. `db` is the application's database
// connection (e.g. a mysql or pg client); the driver sends the value
// separately from the SQL text, so it can never change the query's structure.
const query = 'SELECT * FROM users WHERE username = ?';
db.query(query, [username], (err, results) => {
  if (err) { /* handle the error */ return; }
  // Handle results
});

// Unsafe: String concatenation. The input becomes part of the SQL text,
// so a quote or comment marker in it rewrites the query.
const unsafeQuery = `SELECT * FROM users WHERE username = '${username}'`;
// DON'T DO THIS!